Diffstat (limited to 'docs')
-rw-r--r--  docs/Changelog.md          |  2
-rw-r--r--  docs/custom_mutators.md    | 13
-rw-r--r--  docs/technical_details.md  |  5
3 files changed, 15 insertions, 5 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index d5c2a279..57a78691 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - afl-fuzz basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output - AFL_AUTORESUME will resume execution without the need to specify `-i -` + - afl-tmin now supports hang mode `-H` to minimize hangs + - fixed potential afl-tmin missbehavior for targets with multiple hangs ### Version ++2.62c (release): diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 4deb07e1..b31a2e4f 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -28,13 +28,14 @@ performed with the custom mutator. C/C++: ```c void afl_custom_init(unsigned int seed); -size_t afl_custom_fuzz(u8* buf, size_t buf_size, - u8* add_buf, size_t add_buf_size, - u8* mutated_out, size_t max_size); +size_t afl_custom_fuzz(u8** buf, size_t buf_size, u8* add_buf, + size_t add_buf_size, size_t max_size); size_t afl_custom_pre_save(u8* buf, size_t buf_size, u8** out_buf); u32 afl_custom_init_trim(u8* buf, size_t buf_size); void afl_custom_trim(u8** out_buf, size_t* out_buf_size); u32 afl_custom_post_trim(u8 success); +size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size); +uint8_t afl_custom_havoc_mutation_probability(void); ``` Python: @@ -56,6 +57,12 @@ def trim(): def post_trim(success): return next_index + +def havoc_mutation(buf, max_size): + return mutated_out + +def havoc_mutation_probability(): + return probability # int in [0, 100] ``` ### Custom Mutation diff --git a/docs/technical_details.md b/docs/technical_details.md index 996bf162..a0453c91 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md 
@@ -286,8 +286,9 @@ operation of `afl-tmin` is as follows. First, the tool automatically selects the operating mode. If the initial input crashes the target binary, afl-tmin will run in non-instrumented mode, simply -keeping any tweaks that produce a simpler file but still crash the target. If -the target is non-crashing, the tool uses an instrumented mode and keeps only +keeping any tweaks that produce a simpler file but still crash the target. +The same mode is used for hangs, if `-H` (hang mode) is specified. +If the target is non-crashing, the tool uses an instrumented mode and keeps only the tweaks that produce exactly the same execution path. The actual minimization algorithm is: |
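Review bot: in the docs/Changelog.md hunk, the second added entry has a typo, "missbehavior" should read "misbehavior"; the two entries otherwise match the afl-tmin changes described in this patch.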
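Review bot: in the first docs/custom_mutators.md hunk, the changed afl_custom_fuzz prototype (u8* buf becomes u8** buf and the mutated_out parameter is dropped) is an incompatible change for every existing custom mutator, but the hunk documents neither the new buffer contract (whether the mutator may reallocate the buffer it is handed through buf, who frees it, and that the result must not exceed max_size) nor a migration note for mutators written against the old signature; a sentence on each belongs next to the prototype. Two smaller points in the same hunk: the new afl_custom_havoc_mutation and afl_custom_havoc_mutation_probability prototypes use uint8_t where the rest of the block uses u8, and the probability function's return value is given no range on the C side, while the Python stub below says "int in [0, 100]"; state the same range here.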
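Review bot: in the second docs/custom_mutators.md hunk, the new havoc_mutation stub omits the length constraint that the C prototype expresses through max_size; add a comment, as the probability stub already has, that the returned buffer must be at most max_size bytes. The Python form takes (buf, max_size) while the C form takes (buf, buf_size, max_size); if the difference is intentional because a Python buffer carries its own length, the text should say so rather than leave readers to reconcile the two signatures.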
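Review bot: in the docs/technical_details.md hunk, the inserted sentence "The same mode is used for hangs, if `-H` (hang mode) is specified." should drop the comma and, more importantly, state what is kept in hang mode, mirroring the crash sentence just before it (a tweak is kept when the simpler file still hangs the target); as written the reader has to infer the keep condition from the crash case.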